Are we more “Open” to Authorised Push Payment (APP)

UK Finance published its Annual Fraud Report in May 2023, which detailed the amount of money, reported by UK Finance members, that was stolen by criminals through financial fraud during 2022. It reported that over £1.2 billion was stolen by criminals through authorised and unauthorised fraud in 2022, equivalent to approximately £2,300 every minute. Unauthorised fraud is where the account holder themself does not provide authorisation and the transaction is carried out by a criminal (for example, the victim’s card details are used without their knowledge or consent). Conversely, for authorised fraud to happen – and this accounts for 40% of all fraud reported in the UK - the customer was tricked into authorising a payment to a bank account controlled by a criminal.   

Authorised Push Payment (APP) related fraud losses reached £485.2 million in 2022, down 17% compared to 2021. Within this category, 57% of all reported cases are related to purchase fraud. Investment fraud continued to be one of the largest APP-type losses (24%), although there was a 34% reduction compared with 2021. Overall, the amount of APP fraud losses reimbursed increased by 5% in 2022 compared to the previous year. That’s where the bank assessed the evidence of the case and moved funds back into the account. Unfortunately, not all funds are recovered from the fraudster.

APP fraud may be down in 2022 as reported by UK Finance, however, it remains a persistent and huge problem. As Open Banking in the UK gathers momentum, could it introduce new avenues and potential risks that scammers could exploit? APP scams, also known as bank transfer scams, involve fraudulent schemes where individuals or businesses are tricked into authorizing a payment to a scammer. These scams exploit the trust and reliance people place on their banks. It is a problem that is persistent, and it has not yet been solved.  

In an APP scam, the fraudster typically poses as a legitimate entity, such as a company, government agency, or even a friend or family member. They manipulate their victims into believing that they need to make a payment or transfer funds to a specified account for various reasons, such as paying an invoice, settling a debt, or assisting with a financial emergency. The scammer may use various methods to deceive the victim, including impersonating a trusted organization through emails, phone calls, or text messages. They often employ social engineering techniques to manipulate the victim's emotions, creating a sense of urgency or fear to pressure them into making the payment quickly. A common example would be where the scammer sends an email, purporting to be from a known supplier, with an attached invoice. The email may appear genuine, complete with the supplier's logo, contact information, and accurate details of a previous transaction or ongoing business relationship. To create a sense of urgency, the scammer may emphasize a deadline for payment or threaten disruptions to services or delivery if the payment is delayed. They might also stress the confidential nature of the new account details, urging the victim not to share the information with others. The Payment Systems Regulator (PSR) has just confirmed new requirements for banks and payment companies that will ensure more people than ever before will get their money back if they are a victim of APP fraud. This is the right move for the industry.

Once the victim agrees to make the payment, they are provided with the scammer's bank account details. Believing they are transferring funds to a legitimate recipient; the victim initiates the bank transfer or payment through online banking or other methods. Unfortunately, the funds are sent directly to the scammer's account, and by the time the victim realizes they have been defrauded, it is too late!

Open Banking is a system that allows consumers to share their financial data securely and with their consent, typically through Application Programming Interfaces (APIs), to third-party financial service providers. Open Banking aims to enhance competition, innovation, and consumer control over their financial information. Could Open Banking open the door to new ways for the scammers, such as authorised payment scams?

Open Banking allows authorised third-party providers to access consumers' financial data with their consent. This can include transaction details, account balances, and payment information. If a scammer gains access to a consumer's open banking credentials, they may have a broader understanding of the individual's financial situation, making their impersonation attempts more convincing. With open banking, consumers, and businesses, can link their bank accounts with various third-party applications and services. While these applications go through a vetting process, there is still a possibility that malicious or fraudulent providers could deceive users and misuse their banking information. Open Banking APIs facilitate the movement of funds between different financial accounts, making it easier for scammers to orchestrate fraudulent transfers. By exploiting vulnerabilities in the ecosystem or leveraging compromised credentials, scammers could initiate unauthorized payments through open banking channels. Moreover, fraudsters are using Artificial Intelligence (AI) algorithms to analyse large volumes of social media data and other online information to gather personal details about potential targets.

To protect against such scams, it is crucial to verify any changes in payment details directly with the known supplier through a trusted contact method, such as a verified phone number or email address. Comparing the new details against existing records, rather than relying solely on the information provided in unsolicited emails, can help identify potentially fraudulent activity. Additionally, establishing robust payment verification processes within organizations and training employees to recognize and report suspicious requests can further mitigate the risk of falling victim to APP scams.

There is an ongoing battle between banks and fraudsters. By leveraging advanced machine learning techniques and collaborative data sharing, financial institutions are strengthening their fraud prevention capabilities to safeguard their customers and maintain the integrity of the financial ecosystem. Only time will tell who will win this battle between the banks and the fraudsters.

The content of this article does not reflect the official opinion of Edgar, Dunn & Company. The information and views expressed in this publication belong solely to the author(s).